Fuel for OpenStack

fuel master nginx has debug turned on for the error logs

Bug #1585722 reported by Alex Schultz
258
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Fuel for OpenStack
Fix Committed
High
Alex Schultz
Fuel for OpenStack 10.0
7.0.x
Fix Released
High
Maksim Malchuk
Fuel for OpenStack 7.0-mu-6
8.0.x
Fix Released
High
Sergii Rizvan
Fuel for OpenStack 8.0-mu-4
Mitaka
Fix Released
High
Maksim Malchuk
Fuel for OpenStack 9.0

Bug Description

Detailed bug description:
 The fuel master has debug turned on for the nginx error logs.

Steps to reproduce:
1) deploy environment
2) look at the nginx services and repo error logs

Expected results:
The logs should not have debug information by default.

Actual result:
Debug is enabled.

Reproducibility:
Always.

Workaround:
None.

Impact:
In production the logs should not be set to debug as it may generate large quantities of logs and contain information we don't want.

This was turned on starting with 7.0.

See original description
Alex Schultz (alex-schultz)
description: updated
Alex Schultz (alex-schultz)
information type: Public → Public Security
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to fuel-library (master)

Fix proposed to branch: master
Review: https://review.openstack.org/321139

Changed in fuel:
assignee: nobody → Alex Schultz (alex-schultz)
status: New → In Progress
Oleksiy Molchanov (omolchanov)
tags: added: area-library
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to fuel-library (master)

Reviewed: https://review.openstack.org/321139
Committed: https://git.openstack.org/cgit/openstack/fuel-library/commit/?id=fbdb67fd94a46f567b09ca5d18f1003bf0f9e1f1
Submitter: Jenkins
Branch: master

commit fbdb67fd94a46f567b09ca5d18f1003bf0f9e1f1
Author: Alex Schultz <email address hidden>
Date: Wed May 25 11:28:24 2016 -0600

    Disable debug for nginx error logs

    This change removes the debug option from the error logs. By default
    the error level will be error if no severity level is specified.
    Previously the debug level was hard coded which could lead to large logs
    or information being leaked to the error log.

    Change-Id: I9db3c69d78c8fed8dab39f4dadb1b613ade59f90
    Closes-Bug: #1585722

Changed in fuel:
status: In Progress → Fix Committed
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to fuel-library (stable/mitaka)

Fix proposed to branch: stable/mitaka
Review: https://review.openstack.org/322727

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to fuel-library (stable/8.0)

Fix proposed to branch: stable/8.0
Review: https://review.openstack.org/322735

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to fuel-library (stable/7.0)

Fix proposed to branch: stable/7.0
Review: https://review.openstack.org/322736

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to fuel-library (stable/mitaka)

Reviewed: https://review.openstack.org/322727
Committed: https://git.openstack.org/cgit/openstack/fuel-library/commit/?id=aad8945f765fd4c90021889c01969ebf777f66e8
Submitter: Jenkins
Branch: stable/mitaka

commit aad8945f765fd4c90021889c01969ebf777f66e8
Author: Alex Schultz <email address hidden>
Date: Wed May 25 11:28:24 2016 -0600

    Disable debug for nginx error logs

    This change removes the debug option from the error logs. By default
    the error level will be error if no severity level is specified.
    Previously the debug level was hard coded which could lead to large logs
    or information being leaked to the error log.

    Change-Id: I9db3c69d78c8fed8dab39f4dadb1b613ade59f90
    Closes-Bug: #1585722
    (cherry picked from commit fbdb67fd94a46f567b09ca5d18f1003bf0f9e1f1)

Maksim Malchuk (mmalchuk)
no longer affects: fuel/newton
tags: added: team-bugfix
Mikhail Samoylov (msamoylov)
tags: added: on-verification
Revision history for this message
Mikhail Samoylov (msamoylov) wrote :

Verified in 445 MOS ISO.

Revision history for this message
Adam Heczko (aheczko-mirantis) wrote :

Hi, does branch master means that the bug is fixed for MOS Mitaka and MOS 9.1?
What's the status of this bug for MOS 9.1?

tags: added: feature-security
Revision history for this message
Adam Heczko (aheczko-mirantis) wrote :

OK, see fix is commited.

Maksim Malchuk (mmalchuk)
no longer affects: fuel/newton
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to fuel-library (stable/7.0)

Reviewed: https://review.openstack.org/322736
Committed: https://git.openstack.org/cgit/openstack/fuel-library/commit/?id=1c8902ecc81b11399515718bce7cd71705e19a40
Submitter: Jenkins
Branch: stable/7.0

commit 1c8902ecc81b11399515718bce7cd71705e19a40
Author: Alex Schultz <email address hidden>
Date: Wed May 25 11:28:24 2016 -0600

    Disable debug for nginx error logs

    This change removes the debug option from the error logs. By default
    the error level will be error if no severity level is specified.
    Previously the debug level was hard coded which could lead to large logs
    or information being leaked to the error log.

    Change-Id: I9db3c69d78c8fed8dab39f4dadb1b613ade59f90
    Closes-Bug: #1585722
    (cherry picked from commit fbdb67fd94a46f567b09ca5d18f1003bf0f9e1f1)

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to fuel-library (stable/8.0)

Reviewed: https://review.openstack.org/322735
Committed: https://git.openstack.org/cgit/openstack/fuel-library/commit/?id=5139e2984bc5a4ed6877ca547681be72d84c3374
Submitter: Jenkins
Branch: stable/8.0

commit 5139e2984bc5a4ed6877ca547681be72d84c3374
Author: Alex Schultz <email address hidden>
Date: Wed May 25 11:28:24 2016 -0600

    Disable debug for nginx error logs

    This change removes the debug option from the error logs. By default
    the error level will be error if no severity level is specified.
    Previously the debug level was hard coded which could lead to large logs
    or information being leaked to the error log.

    Change-Id: I9db3c69d78c8fed8dab39f4dadb1b613ade59f90
    Closes-Bug: #1585722
    (cherry picked from commit fbdb67fd94a46f567b09ca5d18f1003bf0f9e1f1)

Revision history for this message
TatyanaGladysheva (tgladysheva) wrote :

Verified on MOS 7.0 + MU6 updates.

tags: removed: on-verification
TatyanaGladysheva (tgladysheva)
tags: added: on-verification
Revision history for this message
TatyanaGladysheva (tgladysheva) wrote :

Bug is still reproduced on 8.0 + MU4 updates.

Fix https://review.openstack.org/#/c/322735/ is included in fuel-library8.0-8.0.0-1.mos7850.noarch which is installed on master node, but still there are a lot of 'debug' messages in nginx logs:
[root@nailgun ~]# cd /var/log/docker-logs/nginx/
[root@nailgun nginx]# ll
total 170112
-rw-r--r-- 1 root root 0 Mar 1 13:05 access.log
-rw-r--r-- 1 dockerroot polkitd 0 Mar 3 03:32 access_nailgun.log
-rw-r--r-- 1 root root 185037 Mar 3 03:31 access_nailgun.log-20170303.gz
-rw-r--r-- 1 dockerroot polkitd 0 Mar 3 03:32 access_repo.log
-rw-r--r-- 1 root root 19216 Mar 2 09:13 access_repo.log-20170303.gz
-rw-r--r-- 1 dockerroot polkitd 2069577 Mar 5 06:10 error.log
-rw-r--r-- 1 dockerroot polkitd 226431 Mar 5 00:00 error.log.1.gz
-rw-r--r-- 1 root root 221051 Mar 3 03:31 error.log-20170303.gz
-rw-r--r-- 1 dockerroot polkitd 256730 Mar 4 03:11 error.log-20170304.gz
-rw-r--r-- 1 dockerroot polkitd 34720 Mar 5 03:10 error.log-20170305.gz
-rw-r--r-- 1 dockerroot polkitd 0 Mar 3 03:32 error_nailgun.log
-rw-r--r-- 1 root root 105407448 Mar 3 03:29 error_nailgun.log.1
-rw-r--r-- 1 root root 47635 Mar 3 03:31 error_nailgun.log-20170303.gz
-rw-r--r-- 1 root root 8177244 Mar 2 21:29 error_nailgun.log.2.gz
-rw-r--r-- 1 root root 8442956 Mar 2 15:29 error_nailgun.log.3.gz
-rw-r--r-- 1 root root 8618957 Mar 2 11:30 error_nailgun.log.4.gz
-rw-r--r-- 1 dockerroot polkitd 0 Mar 3 03:32 error_repo.log
-rw-r--r-- 1 root root 40454913 Mar 3 03:22 error_repo.log-20170303
[root@nailgun nginx]# grep -c debug error_nailgun.log.1
1397542
[root@nailgun nginx]# grep -c debug error_repo.log-20170303
490523

tags: removed: on-verification
Revision history for this message
Sergii Rizvan (srizvan) wrote :

@Tatyana, maybe fuel-docker-images package wasn't updated?

I checked nginx log with next versions of packages on Fuel Master and there no debug messages anymore:

[root@localhost nginx]# rpm -qa | grep fuel-library8.0
fuel-library8.0-8.0.0-1.mos7853.noarch
[root@localhost nginx]# rpm -qa | grep fuel-docker-images
fuel-docker-images-8.0.0-29.x86_64

Actually a bit of debug messages still present in log, because MOS 8.0 ISO contains old versions of packages and this messages should be present in the log until we update master node.

Revision history for this message
TatyanaGladysheva (tgladysheva) wrote :

Verified on 8.0 + mu4 updates.

[root@nailgun nginx]# rpm -qa | grep fuel-library8.0
fuel-library8.0-8.0.0-1.mos7853.noarch
[root@nailgun nginx]# rpm -qa | grep fuel-docker-images
fuel-docker-images-8.0.0-29.x86_64

Checked one more time. Debug messages are present in nginx logs before updates. After updates these messages stay in logs, new debug messages don't appear.

To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.